Hello community,

here is the log from the commit of package himmelblau for openSUSE:Factory 
checked in at 2025-11-20 14:50:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/himmelblau (Old)
 and      /work/SRC/openSUSE:Factory/.himmelblau.new.2061 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "himmelblau"

Thu Nov 20 14:50:57 2025 rev:37 rq:1318747 version:1.4.2+git.0.52da279

Changes:
--------
--- /work/SRC/openSUSE:Factory/himmelblau/himmelblau.changes    2025-10-01 
18:56:50.946133770 +0200
+++ /work/SRC/openSUSE:Factory/.himmelblau.new.2061/himmelblau.changes  
2025-11-20 14:52:34.615941370 +0100
@@ -1,0 +2,14 @@
+Wed Nov 19 19:36:55 UTC 2025 - David Mulder <[email protected]>
+
+- Update to version 1.4.2+git.0.52da279:
+  * Version 1.4.2
+  * Rocky container image updates were failing
+  * Revert libhimmelblau unstable update
+  * Version 1.4.1
+  * Update Intune to use app version 1.2511.7
+  * Version 1.4.0
+  * Resolve build failures
+  * deps(rust): bump the all-cargo-updates group across 1 directory with 6 
updates
+  * Permit NSS response for mapped primary fake group
+
+-------------------------------------------------------------------

Old:
----
  himmelblau-1.3.0+git.0.f8cabb7.tar.bz2

New:
----
  himmelblau-1.4.2+git.0.52da279.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ himmelblau.spec ++++++
--- /var/tmp/diff_new_pack.7Cf6rN/_old  2025-11-20 14:52:36.380015779 +0100
+++ /var/tmp/diff_new_pack.7Cf6rN/_new  2025-11-20 14:52:36.384015948 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package himmelblau
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           himmelblau
-Version:        1.3.0+git.0.f8cabb7
+Version:        1.4.2+git.0.52da279
 Release:        0
 Summary:        Interoperability suite for Microsoft Azure Entra Id
 License:        GPL-3.0-or-later

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.7Cf6rN/_old  2025-11-20 14:52:36.456018985 +0100
+++ /var/tmp/diff_new_pack.7Cf6rN/_new  2025-11-20 14:52:36.460019154 +0100
@@ -3,6 +3,6 @@
                 <param 
name="url">https://github.com/openSUSE/himmelblau.git</param>
               <param 
name="changesrevision">6d2f6450ff3c0c945a884d4b35307e03a035a581</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/himmelblau-idm/himmelblau.git</param>
-              <param 
name="changesrevision">f8cabb7e281e6758a9bbfd2f6f19b67c5b47744c</param></service></servicedata>
+              <param 
name="changesrevision">52da279cb3d24e70ab569bfd169d5feb9fb01c10</param></service></servicedata>
 (No newline at EOF)
 

++++++ himmelblau-1.3.0+git.0.f8cabb7.tar.bz2 -> 
himmelblau-1.4.2+git.0.52da279.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-1.3.0+git.0.f8cabb7/.github/FUNDING.yml 
new/himmelblau-1.4.2+git.0.52da279/.github/FUNDING.yml
--- old/himmelblau-1.3.0+git.0.f8cabb7/.github/FUNDING.yml      2025-09-24 
21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/.github/FUNDING.yml      1970-01-01 
01:00:00.000000000 +0100
@@ -1,15 +0,0 @@
-# These are supported funding model platforms
-
-github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, 
user2]
-patreon: # Replace with a single Patreon username
-open_collective: himmelblau
-ko_fi: # Replace with a single Ko-fi username
-tidelift: # Replace with a single Tidelift platform-name/package-name e.g., 
npm/babel
-community_bridge: # Replace with a single Community Bridge project-name e.g., 
cloud-foundry
-liberapay: # Replace with a single Liberapay username
-issuehunt: # Replace with a single IssueHunt username
-lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., 
cloud-foundry
-polar: # Replace with a single Polar username
-buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
-thanks_dev: # Replace with a single thanks.dev username
-custom: 
['https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=8GYKFLX9UNCH2']
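Review bot: The new side of this file is dated `1970-01-01 01:00:00`, meaning it is gone from the 1.4.2 tarball, and the same holds for every other `.github/` file and for `.gitignore` further down, yet the himmelblau.changes entry above does not mention it. Add a changelog line saying that repository metadata is now excluded from the source archive, so a reader can tell a packaging filter apart from files dropped upstream.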
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/ISSUE_TEMPLATE/bug_report.md 
new/himmelblau-1.4.2+git.0.52da279/.github/ISSUE_TEMPLATE/bug_report.md
--- old/himmelblau-1.3.0+git.0.f8cabb7/.github/ISSUE_TEMPLATE/bug_report.md     
2025-09-24 21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/.github/ISSUE_TEMPLATE/bug_report.md     
1970-01-01 01:00:00.000000000 +0100
@@ -1,56 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: ''
-assignees: ''
-
----
-
-**Description**
-Please provide a clear and concise description of the bug, including the 
expected behavior and what actually happens.
-
-**Steps to Reproduce**
-1.
-2.
-3.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs and Output**
-Please attach relevant logs. Make sure to include outputs from the systemd 
journal by running:
-```bash
-journalctl -u himmelblaud -u himmelblaud-tasks
-```
-
-**Configuration**
-Please attach a copy of your `/etc/himmelblau/himmelblau.conf` file.
-
-**Packet Trace (For Authentication Errors)**
-If you are encountering an authentication error (check the systemd journal for 
errors related to the `himmelblaud` daemon), please capture a packet trace of 
the OAuth2 authentication traffic to Azure Entra ID.
-
-Instructions for capturing the packet trace can be found on the [Himmelblau 
Wiki](https://github.com/himmelblau-idm/himmelblau/wiki/Capturing-authentication-traffic-using-cirrus%E2%80%90scope).
-
-Please ensure any sensitive data is redacted before submission, including 
passwords, access tokens, refresh tokens, etc. If you prefer, you can message 
the developer privately on the [Himmelblau Matrix 
Channel](https://matrix.to/#/#himmelblau:matrix.org) to provide the packet 
capture.
-
-**Environment**
-- **Linux Distro**: 
-- **Package source (distro package/github release/self built)**: 
-- **Himmelblau Version**: 
-
-**Additional Information**
-Include any additional context that might help diagnose the issue, such as 
recent configuration changes or related issues.
-
----
-
-### đź’ˇ Help Make It Happen!
-Want to see this bug fixed faster? Fund its implementation through our 
**Backer's Bounty** program, where you choose which bug fixes get priority!
-
-[![Donate to Our 
Collective](https://opencollective.com/himmelblau/donate/button.png?color=blue)](https://himmelblau-idm.org/backers.html#backers-bounty)
-
-For US tax exempt donations:
-
-[![Donate US Tax 
Exempt](https://www.spi-inc.org/images/paypal_btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=8GYKFLX9UNCH2)
-
-Your support helps drive Himmelblau’s evolution!
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/ISSUE_TEMPLATE/enhancement-request.md
 
new/himmelblau-1.4.2+git.0.52da279/.github/ISSUE_TEMPLATE/enhancement-request.md
--- 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/ISSUE_TEMPLATE/enhancement-request.md
    2025-09-24 21:12:25.000000000 +0200
+++ 
new/himmelblau-1.4.2+git.0.52da279/.github/ISSUE_TEMPLATE/enhancement-request.md
    1970-01-01 01:00:00.000000000 +0100
@@ -1,43 +0,0 @@
----
-name: Enhancement Request
-about: Suggest an idea for this project
-title: ''
-labels: ''
-assignees: ''
-
----
-
-**Summary**
-Provide a brief summary of the enhancement you are proposing.
-
-**Problem Statement**
-Explain the problem you are trying to solve with this enhancement. Describe 
any limitations, pain points, or inefficiencies that currently exist.
-
-**Proposed Solution**
-Describe your proposed solution or feature in detail. Include diagrams, code 
snippets, or examples if applicable.
-
-**Benefits**
-Explain how this enhancement would improve the project. Consider user 
experience, performance, maintainability, or any other relevant factors.
-
-**Alternatives Considered**
-List any alternative solutions you considered and why you chose not to pursue 
them.
-
-**Additional Context**
-Provide any other context or information that may be relevant to the 
enhancement. This could include links to related issues, discussions, or 
relevant documentation.
-
----
-
-### đź’ˇ Help Make It Happen!
-Want to see this feature developed faster? Fund its implementation through our 
**Backer's Bounty** program, where you choose which features get priority!
-
-[![Donate to Our 
Collective](https://opencollective.com/himmelblau/donate/button.png?color=blue)](https://himmelblau-idm.org/backers.html#backers-bounty)
-
-For US tax exempt donations:
-
-[![Donate US Tax 
Exempt](https://www.spi-inc.org/images/paypal_btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=8GYKFLX9UNCH2)
-
-Your support helps drive Himmelblau’s evolution!
-
----
-
-*Thank you for suggesting an enhancement to the Himmelblau project! Your input 
helps make the project better for everyone.*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/dependabot.yml 
new/himmelblau-1.4.2+git.0.52da279/.github/dependabot.yml
--- old/himmelblau-1.3.0+git.0.f8cabb7/.github/dependabot.yml   2025-09-24 
21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/.github/dependabot.yml   1970-01-01 
01:00:00.000000000 +0100
@@ -1,19 +0,0 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# 
https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
-version: 2
-updates:
-  - package-ecosystem: "cargo"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    commit-message:
-      prefix: "deps(rust)"
-    ignore:
-      - dependency-name: "utoipa"
-    groups:
-      all-cargo-updates:
-        patterns:
-          - "*"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/pull_request_template.md 
new/himmelblau-1.4.2+git.0.52da279/.github/pull_request_template.md
--- old/himmelblau-1.3.0+git.0.f8cabb7/.github/pull_request_template.md 
2025-09-24 21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/.github/pull_request_template.md 
1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-Fixes #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/ci.yml 
new/himmelblau-1.4.2+git.0.52da279/.github/workflows/ci.yml
--- old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/ci.yml 2025-09-24 
21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/.github/workflows/ci.yml 1970-01-01 
01:00:00.000000000 +0100
@@ -1,155 +0,0 @@
----
-name: CI
-permissions:
-  contents: read
-
-# Trigger the workflow on push or pull request
-on:
-  pull_request:
-    branches:
-      - main
-      - stable-0.1.x
-      - stable-0.2.x
-      - stable-0.3.x
-      - stable-0.4.x
-      - stable-0.5.x
-      - stable-0.6.x
-      - stable-0.7.x
-      - stable-0.8.x
-      - stable-0.9.x
-      - stable-1.x
-
-env:
-  SCCACHE_GHA_ENABLED: "true"
-  RUSTC_WRAPPER: "sccache"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup sccache
-        uses: mozilla-actions/[email protected]
-        with:
-          version: "v0.10.0"
-      - name: Cache Cargo
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-cargo-
-      - name: Install dependencies
-        run: |
-          sudo apt-get update && \
-          sudo apt-get install -y \
-            libpam0g-dev \
-            libudev-dev \
-            libssl-dev \
-            pkg-config \
-            tpm-udev \
-            libtss2-dev \
-            libcap-dev \
-            libdhash-dev \
-            libkrb5-dev \
-            libpcre2-dev \
-            libclang-dev \
-            autoconf \
-            gettext \
-            libdbus-1-dev \
-            libunistring-dev \
-            libgirepository1.0-dev \
-            libcairo2-dev \
-            libgdk-pixbuf2.0-dev \
-            libsoup-3.0-dev \
-            libpango1.0-dev \
-            libatk1.0-dev \
-            libgtk-3-dev \
-            libwebkit2gtk-4.1-dev
-      - name: "Fetch submodules"
-        run: git submodule init && git submodule update
-      - name: "Run build"
-        run: cargo build --all-features --all-targets
-        continue-on-error: false
-
-  clippy:
-    name: Clippy
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup sccache
-        uses: mozilla-actions/[email protected]
-        with:
-          version: "v0.10.0"
-      - name: Cache Cargo
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-cargo-
-      - name: "Run clippy"
-        run: cargo clippy --all-features
-        continue-on-error: true
-
-  test:
-    name: Test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup sccache
-        uses: mozilla-actions/[email protected]
-        with:
-          version: "v0.10.0"
-      - name: Cache Cargo
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-cargo-
-      - name: Install dependencies
-        run: |
-          sudo apt-get update && \
-          sudo apt-get install -y \
-            libpam0g-dev \
-            libudev-dev \
-            libssl-dev \
-            pkg-config \
-            tpm-udev \
-            libtss2-dev \
-            libcap-dev \
-            libdhash-dev \
-            libkrb5-dev \
-            libpcre2-dev \
-            libclang-dev \
-            autoconf \
-            gettext \
-            libdbus-1-dev \
-            libunistring-dev \
-            libgirepository1.0-dev \
-            libcairo2-dev \
-            libgdk-pixbuf2.0-dev \
-            libsoup-3.0-dev \
-            libpango1.0-dev \
-            libatk1.0-dev \
-            libgtk-3-dev \
-            libwebkit2gtk-4.1-dev
-      - name: "Run tests"
-        run: cargo test
-        continue-on-error: false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/dependabot_auto_merge.yml 
new/himmelblau-1.4.2+git.0.52da279/.github/workflows/dependabot_auto_merge.yml
--- 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/dependabot_auto_merge.yml  
    2025-09-24 21:12:25.000000000 +0200
+++ 
new/himmelblau-1.4.2+git.0.52da279/.github/workflows/dependabot_auto_merge.yml  
    1970-01-01 01:00:00.000000000 +0100
@@ -1,46 +0,0 @@
----
-# yamllint disable rule:line-length
-name: Dependabot auto-approval and auto-merge
-"on":
-  pull_request:
-    branches:
-      - main
-      - stable-0.1.x
-      - stable-0.2.x
-      - stable-0.3.x
-      - stable-0.4.x
-      - stable-0.5.x
-      - stable-0.6.x
-      - stable-0.7.x
-      - stable-0.8.x
-      - stable-0.9.x
-      - stable-1.x
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  dependabot:
-    runs-on: ubuntu-latest
-    # limit this to PRs opened by dependabot
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    steps:
-      - name: Dependabot metadata
-        id: metadata
-        uses: dependabot/fetch-metadata@v2
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-          alert-lookup: true
-          compat-lookup: true
-      - uses: actions/checkout@v4
-      - name: Enable auto-merge for Dependabot PRs
-        run: gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-      - name: Approve a PR if not already approved
-        run: scripts/dependabot_automerge_check.sh "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/nixosbuild-ci.yml 
new/himmelblau-1.4.2+git.0.52da279/.github/workflows/nixosbuild-ci.yml
--- old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/nixosbuild-ci.yml      
2025-09-24 21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/.github/workflows/nixosbuild-ci.yml      
1970-01-01 01:00:00.000000000 +0100
@@ -1,19 +0,0 @@
----
-name: NixOS-CI
-
-# Trigger the workflow on push or pull request
-on:
-  pull_request:
-    branches:
-      - main
-
-jobs:
-  nixos:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: cachix/install-nix-action@v25
-      with:
-        extra_nix_config: experimental-features = nix-command flakes
-    - run: nix flake check
-    - run: nix build --max-jobs 1 ".#himmelblau" ".#himmelblau-desktop"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/nixosbuild.yml 
new/himmelblau-1.4.2+git.0.52da279/.github/workflows/nixosbuild.yml
--- old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/nixosbuild.yml 
2025-09-24 21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/.github/workflows/nixosbuild.yml 
1970-01-01 01:00:00.000000000 +0100
@@ -1,26 +0,0 @@
----
-name: NixOS
-permissions:
-  contents: read
-
-# Trigger the workflow on push or pull request
-on:
-  pull_request:
-    branches:
-      - stable-0.9.x
-      - stable-1.x
-
-jobs:
-  nixos:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: cachix/install-nix-action@v25
-      with:
-        extra_nix_config: experimental-features = nix-command flakes
-    - uses: cachix/cachix-action@v14
-      with:
-        name: himmelblau
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-    - run: nix flake check
-    - run: nix build --no-link --print-out-paths --max-jobs 1 ".#himmelblau" 
".#himmelblau-desktop" | cachix push himmelblau
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/tag-version.yml 
new/himmelblau-1.4.2+git.0.52da279/.github/workflows/tag-version.yml
--- old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/tag-version.yml        
2025-09-24 21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/.github/workflows/tag-version.yml        
1970-01-01 01:00:00.000000000 +0100
@@ -1,38 +0,0 @@
-name: Rust Version Tagging (Post-Merge)
-
-on:
-  push:
-    branches:
-      - stable-0.5.x
-      - stable-0.6.x
-      - stable-0.7.x
-      - stable-0.8.x
-      - stable-0.9.x
-      - stable-1.x
-
-permissions:
-  contents: write
-
-jobs:
-  create-tag:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Set up Git for tagging
-      run: |
-        git config --global user.name "GitHub Action"
-        git config --global user.email "[email protected]"
-
-    - name: Extract version from Cargo.toml
-      id: get-version
-      run: |
-        VERSION=$(grep '^version =' Cargo.toml | head -n 1 | sed 's/version = 
"\(.*\)"/\1/')
-        echo "VERSION=$VERSION" >> $GITHUB_ENV
-
-    - name: Create and push a new tag
-      run: |
-        git tag "$VERSION"
-        git push origin "$VERSION"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/version-check.yml 
new/himmelblau-1.4.2+git.0.52da279/.github/workflows/version-check.yml
--- old/himmelblau-1.3.0+git.0.f8cabb7/.github/workflows/version-check.yml      
2025-09-24 21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/.github/workflows/version-check.yml      
1970-01-01 01:00:00.000000000 +0100
@@ -1,39 +0,0 @@
-name: Rust Version Check (Pre-Merge)
-
-on:
-  pull_request:
-    types: [opened, synchronize]
-
-permissions:
-  contents: read
-
-jobs:
-  check-version:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Set up Rust
-      uses: actions-rs/toolchain@v1
-      with:
-        toolchain: stable
-        override: true
-
-    - name: Extract version from Cargo.toml
-      id: get-version
-      run: |
-        VERSION=$(grep '^version =' Cargo.toml | head -n 1 | sed 's/version = 
"\(.*\)"/\1/')
-        echo "VERSION=$VERSION" >> $GITHUB_ENV
-        echo "Package version: $VERSION"
-
-    - name: Check if tag exists for the version
-      run: |
-        git fetch --tags
-        if git rev-parse "$VERSION" >/dev/null 2>&1; then
-          echo "Git tag for version $VERSION already exists!"
-          exit 1
-        else
-          echo "No existing tag found for version $VERSION."
-        fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-1.3.0+git.0.f8cabb7/.gitignore 
new/himmelblau-1.4.2+git.0.52da279/.gitignore
--- old/himmelblau-1.3.0+git.0.f8cabb7/.gitignore       2025-09-24 
21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/.gitignore       1970-01-01 
01:00:00.000000000 +0100
@@ -1,23 +0,0 @@
-# ---> Rust
-# Generated by Cargo
-# will have compiled files and executables
-debug/
-target/
-
-# nix output link
-result
-result-man
-result-doc
-
-# These are backup files generated by rustfmt
-**/*.rs.bk
-
-# MSVC Windows builds of rustc generate these, which store debugging 
information
-*.pdb
-
-vendor/
-tags
-packaging/
-
-# VM image for nixos testing
-*.qcow2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-1.3.0+git.0.f8cabb7/Cargo.lock 
new/himmelblau-1.4.2+git.0.52da279/Cargo.lock
--- old/himmelblau-1.3.0+git.0.f8cabb7/Cargo.lock       2025-09-24 
21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/Cargo.lock       2025-10-27 
20:28:53.000000000 +0100
@@ -4,7 +4,7 @@
 
 [[package]]
 name = "aad-tool"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "anyhow",
  "broker-client",
@@ -633,7 +633,7 @@
 
 [[package]]
 name = "broker"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "dbus",
  "himmelblau_unix_common",
@@ -644,7 +644,7 @@
 
 [[package]]
 name = "broker-client"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "serde_json",
  "zbus",
@@ -752,9 +752,9 @@
 
 [[package]]
 name = "cc"
-version = "1.2.38"
+version = "1.2.39"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "80f41ae168f955c12fb8960b057d70d0ca153fb83182b57d86380443527be7e9"
+checksum = "e1354349954c6fc9cb0deab020f27f783cf0b604e8bb754dc4658ecf0d29c35f"
 dependencies = [
  "find-msvc-tools",
  "shlex",
@@ -2131,7 +2131,7 @@
 
 [[package]]
 name = "himmelblau_policies"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -2153,7 +2153,7 @@
 
 [[package]]
 name = "himmelblau_unix_common"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -2194,7 +2194,7 @@
 
 [[package]]
 name = "himmelblaud"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "async-trait",
  "base64 0.22.1",
@@ -2580,7 +2580,7 @@
 
 [[package]]
 name = "idmap"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "bindgen 0.72.1",
  "cc",
@@ -2782,7 +2782,7 @@
 
 [[package]]
 name = "kanidm_lib_crypto"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "argon2",
  "base64 0.22.1",
@@ -2806,7 +2806,7 @@
 
 [[package]]
 name = "kanidm_lib_file_permissions"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "kanidm_utils_users",
  "whoami",
@@ -2814,7 +2814,7 @@
 
 [[package]]
 name = "kanidm_proto"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "base32",
  "base64urlsafedata",
@@ -2834,7 +2834,7 @@
 
 [[package]]
 name = "kanidm_utils_users"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "libc",
 ]
@@ -2900,9 +2900,9 @@
 
 [[package]]
 name = "libhimmelblau"
-version = "0.7.16"
+version = "0.7.19"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "8d7d85c9aa04d6e54d7b305071d1f6a6a2ad542bacb2356eae3cfff1a8148118"
+checksum = "ec657afd7aac26c2c31bba7915c1584b07cb2a8401e92946c6b2d1a1d6da4b12"
 dependencies = [
  "base64 0.22.1",
  "browser-window",
@@ -2923,6 +2923,7 @@
  "reqwest",
  "reqwest_cookie_store",
  "scraper",
+ "semver",
  "serde",
  "serde_bytes",
  "serde_json",
@@ -3263,13 +3264,14 @@
 
 [[package]]
 name = "nss_himmelblau"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "himmelblau_unix_common",
  "lazy_static",
  "libc",
  "libnss",
  "paste",
+ "uuid",
 ]
 
 [[package]]
@@ -3598,7 +3600,7 @@
 
 [[package]]
 name = "pam_himmelblau"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "himmelblau_unix_common",
  "libc",
@@ -4153,7 +4155,7 @@
 
 [[package]]
 name = "qr-greeter"
-version = "1.3.0"
+version = "1.4.2"
 
 [[package]]
 name = "quote"
@@ -4260,9 +4262,9 @@
 
 [[package]]
 name = "regex"
-version = "1.11.2"
+version = "1.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "23d7fd106d8c02486a8d64e778353d1cffe08ce79ac2e82f540c86d0facf6912"
+checksum = "8b5288124840bee7b386bc413c487869b360b2b4ec421ea56425128692f2a82c"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -4272,9 +4274,9 @@
 
 [[package]]
 name = "regex-automata"
-version = "0.4.9"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"
+checksum = "833eb9ce86d40ef33cb1306d8accf7bc8ec2bfea4355cbdebb3df68b40925cad"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -4678,9 +4680,9 @@
 
 [[package]]
 name = "serde"
-version = "1.0.226"
+version = "1.0.228"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "0dca6411025b24b60bfa7ec1fe1f8e710ac09782dca409ee8237ba74b51295fd"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
 dependencies = [
  "serde_core",
  "serde_derive",
@@ -4718,18 +4720,18 @@
 
 [[package]]
 name = "serde_core"
-version = "1.0.226"
+version = "1.0.228"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "ba2ba63999edb9dac981fb34b3e5c0d111a69b0924e253ed29d83f7c99e966a4"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
 dependencies = [
  "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.226"
+version = "1.0.228"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "8db53ae22f34573731bafa1db20f04027b2d25e02d8205921b569171699cdb33"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -4909,7 +4911,7 @@
 
 [[package]]
 name = "sketching"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "num_enum",
  "opentelemetry",
@@ -5003,11 +5005,11 @@
 
 [[package]]
 name = "sshd-config"
-version = "1.3.0"
+version = "1.4.2"
 
 [[package]]
 name = "sso"
-version = "1.3.0"
+version = "1.4.2"
 dependencies = [
  "broker-client",
  "clap",
@@ -6469,9 +6471,9 @@
 
 [[package]]
 name = "zeroize"
-version = "1.8.1"
+version = "1.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
 dependencies = [
  "serde",
  "zeroize_derive",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-1.3.0+git.0.f8cabb7/Cargo.toml 
new/himmelblau-1.4.2+git.0.52da279/Cargo.toml
--- old/himmelblau-1.3.0+git.0.f8cabb7/Cargo.toml       2025-09-24 
21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/Cargo.toml       2025-10-27 
20:28:53.000000000 +0100
@@ -21,7 +21,7 @@
 resolver = "2"
 
 [workspace.package]
-version = "1.3.0"
+version = "1.4.2"
 authors = [
     "David Mulder <[email protected]>"
 ]
@@ -36,12 +36,12 @@
 pkg-config = "^0.3.32"
 lazy_static = "^1.4.0"
 paste = "^1.0.12"
-serde = { version = "^1.0.226", features = ["derive"] }
+serde = { version = "^1.0.228", features = ["derive"] }
 serde_json = "^1.0.145"
 tracing-subscriber = "^0.3.20"
 tracing = "^0.1.37"
 himmelblau_unix_common = { path = "src/common" }
-libhimmelblau = { version = "0.7.16", features = ["broker", "changepassword", 
"on_behalf_of"] }
+libhimmelblau = { version = "0.7.19", features = ["broker", "changepassword", 
"on_behalf_of"] }
 clap = { version = "^4.5", features = ["derive", "env"] }
 clap_complete = "^4.5.58"
 reqwest = { version = "^0.12.23", features = ["json"] }
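Review bot: The libhimmelblau requirement moves forward from `"0.7.16"` to `"0.7.19"`, while the changelog for this update lists "Revert libhimmelblau unstable update". Please state in the .changes entry which libhimmelblau release the revert settled on and confirm that 0.7.19 is the intended one, since the two lines read as contradictory without that context.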
@@ -54,7 +54,7 @@
 chrono = "^0.4.42"
 os-release = "^0.1.0"
 jsonwebtoken = "^9.2.0"
-zeroize = "^1.7.0"
+zeroize = "^1.8.2"
 idmap = { path = "src/idmap" }
 identity_dbus_broker = "0.1.4"
 rustls = ">=0.23.19" # CVE-2024-11738
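Review bot: In the unchanged context of this hunk, `rustls = ">=0.23.19" # CVE-2024-11738` sets only a floor, so any later release, including a semver-incompatible one, satisfies it, unlike the caret requirements around it such as `zeroize = "^1.8.2"`. Consider `^0.23.19` so that the CVE floor is kept and a major bump becomes an explicit decision.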
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/images/rpm/Dockerfile.rocky10 
new/himmelblau-1.4.2+git.0.52da279/images/rpm/Dockerfile.rocky10
--- old/himmelblau-1.3.0+git.0.f8cabb7/images/rpm/Dockerfile.rocky10    
2025-09-24 21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/images/rpm/Dockerfile.rocky10    
2025-10-27 20:28:53.000000000 +0100
@@ -1,5 +1,5 @@
 # Use the official Rocky Linux 10 image as the base
-FROM rockylinux:10
+FROM rockylinux/rockylinux:10
 
 # Enable CRB repository (needed for some devel packages)
 RUN dnf install -y 'dnf-command(config-manager)' && \
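Review bot: `FROM rockylinux/rockylinux:10` switches the image repository but still references a mutable tag, so the build input can change without any change to this file. Consider pinning by digest (`rockylinux/rockylinux:10@sha256:<digest>`, with the digest filled in at pin time), and reword the comment above the `FROM` line if "official" no longer describes the new repository.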
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/images/rpm/Dockerfile.rocky8 
new/himmelblau-1.4.2+git.0.52da279/images/rpm/Dockerfile.rocky8
--- old/himmelblau-1.3.0+git.0.f8cabb7/images/rpm/Dockerfile.rocky8     
2025-09-24 21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/images/rpm/Dockerfile.rocky8     
2025-10-27 20:28:53.000000000 +0100
@@ -1,5 +1,5 @@
 # Use the official Rocky Linux 8 image as the base
-FROM rockylinux:8
+FROM rockylinux/rockylinux:8
 
 # Set environment variables for non-interactive installs
 ENV YUM_VERSION=8
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/images/rpm/Dockerfile.rocky9 
new/himmelblau-1.4.2+git.0.52da279/images/rpm/Dockerfile.rocky9
--- old/himmelblau-1.3.0+git.0.f8cabb7/images/rpm/Dockerfile.rocky9     
2025-09-24 21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/images/rpm/Dockerfile.rocky9     
2025-10-27 20:28:53.000000000 +0100
@@ -1,5 +1,5 @@
 # Use the official Rocky Linux 9 image as the base
-FROM rockylinux:9
+FROM rockylinux/rockylinux:9
 
 # Set environment variables for non-interactive installs
 ENV YUM_VERSION=8
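Review bot: the context line `ENV YUM_VERSION=8` in Dockerfile.rocky9 matches the value in Dockerfile.rocky8 and looks like a copy-paste leftover. While this file is being touched, please confirm whether it should be 9. If the value is intentional, a short comment explaining why the Rocky 9 image uses 8 would prevent it from being "fixed" later.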
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-1.3.0+git.0.f8cabb7/src/common/Cargo.toml 
new/himmelblau-1.4.2+git.0.52da279/src/common/Cargo.toml
--- old/himmelblau-1.3.0+git.0.f8cabb7/src/common/Cargo.toml    2025-09-24 
21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/src/common/Cargo.toml    2025-10-27 
20:28:53.000000000 +0100
@@ -48,7 +48,7 @@
 csv = { workspace = true }
 sketching = { workspace = true }
 kanidm_lib_file_permissions.workspace = true
-regex = "1.11.2"
+regex = "1.11.3"
 sha2 = "0.10.9"
 base64.workspace = true
 authenticator = { version = "0.4.1", default-features = false, features = 
["crypto_openssl"] }
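Review bot: `regex = "1.11.3"` is pinned directly in this crate while the neighbouring dependencies (`csv`, `sketching`, `base64`) come from the workspace, and src/policies/Cargo.toml carries its own `regex = "^1.11.3"` line that has to be bumped separately. Moving `regex` into the workspace dependency table and using `regex.workspace = true` in both crates would keep the two from drifting and reduce each future bump to one line.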
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/src/common/src/idprovider/himmelblau.rs 
new/himmelblau-1.4.2+git.0.52da279/src/common/src/idprovider/himmelblau.rs
--- old/himmelblau-1.3.0+git.0.f8cabb7/src/common/src/idprovider/himmelblau.rs  
2025-09-24 21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/src/common/src/idprovider/himmelblau.rs  
2025-10-27 20:28:53.000000000 +0100
@@ -49,7 +49,6 @@
 use regex::Regex;
 use reqwest;
 use reqwest::Url;
-use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::sync::Arc;
 use std::thread::sleep;
@@ -78,9 +77,6 @@
     }};
 }
 
-#[derive(Deserialize, Serialize)]
-struct Token(Option<String>, String);
-
 pub struct HimmelblauMultiProvider {
     config: Arc<RwLock<HimmelblauConfig>>,
     providers: Arc<RwLock<HashMap<String, HimmelblauProvider>>>,
@@ -2934,6 +2930,15 @@
             Some(name) => name,
             None => value.id.clone(),
         };
+        // Prohibit group names which look like a UPN
+        if name.contains("@") {
+            // Including the "@" symbol in a group name is discouraged by MS,
+            // and permits a potential name collision risk (a user could
+            // create a group which collides with a fake primary group).
+            // Group names with an "@" will also resolve via NSS, which we
+            // NEVER permit (see CVE-2025-49012).
+            return Err(anyhow!("Group names cannot contain the '@' symbol."));
+        }
         let id =
             Uuid::parse_str(&value.id).map_err(|e| anyhow!("Failed parsing 
user uuid: {}", e))?;
         let idmap = self.idmap.read().await;
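Review bot: the new `name.contains("@")` check returns `Err` for the whole conversion, and the callers are not visible in this hunk. If any caller propagates that error with `?` while assembling a user's group list, a single group with an "@" in its name could break resolution for its members instead of just being skipped. Please confirm that callers drop the offending group and continue, and log the rejection with `value.id` so an admin can find the group in the directory. Two smaller points: when no display name is present, `name` falls back to `value.id`, so the check also runs on the id (harmless for a GUID, but worth a word in the comment); and the context line's error text says "Failed parsing user uuid" on what the new comment treats as a group path. A unit test for a name containing "@" would pin the behaviour this comment describes.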
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-1.3.0+git.0.f8cabb7/src/idmap/Cargo.toml 
new/himmelblau-1.4.2+git.0.52da279/src/idmap/Cargo.toml
--- old/himmelblau-1.3.0+git.0.f8cabb7/src/idmap/Cargo.toml     2025-09-24 
21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/src/idmap/Cargo.toml     2025-10-27 
20:28:53.000000000 +0100
@@ -19,5 +19,5 @@
 uuid.workspace = true
 
 [build-dependencies]
-cc = "1.2.38"
+cc = "1.2.39"
 bindgen = "0.72.1"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-1.3.0+git.0.f8cabb7/src/nss/Cargo.toml 
new/himmelblau-1.4.2+git.0.52da279/src/nss/Cargo.toml
--- old/himmelblau-1.3.0+git.0.f8cabb7/src/nss/Cargo.toml       2025-09-24 
21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/src/nss/Cargo.toml       2025-10-27 
20:28:53.000000000 +0100
@@ -21,6 +21,7 @@
 libc = { workspace = true }
 paste = { workspace = true }
 lazy_static = { workspace = true }
+uuid = { workspace = true }
 
 [package.metadata.deb]
 name = "nss-himmelblau"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/src/nss/src/implementation.rs 
new/himmelblau-1.4.2+git.0.52da279/src/nss/src/implementation.rs
--- old/himmelblau-1.3.0+git.0.f8cabb7/src/nss/src/implementation.rs    
2025-09-24 21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/src/nss/src/implementation.rs    
2025-10-27 20:28:53.000000000 +0100
@@ -16,6 +16,7 @@
 use libnss::group::{Group, GroupHooks};
 use libnss::interop::Response;
 use libnss::passwd::{Passwd, PasswdHooks};
+use uuid::Uuid;
 
 struct HimmelblauPasswd;
 libnss_passwd_hooks!(himmelblau, HimmelblauPasswd);
@@ -274,7 +275,6 @@
             }
         };
         let upn = cfg.map_name_to_upn(&name);
-        let req = ClientRequest::NssGroupByName(upn.clone());
         let mut daemon_client = match 
DaemonClientBlocking::new(cfg.get_socket_path().as_str()) {
             Ok(dc) => dc,
             Err(_) => {
@@ -282,67 +282,69 @@
             }
         };
 
-        let resp = match daemon_client
-            .call_and_wait(&req, cfg.get_unix_sock_timeout())
-            .map(|r| match r {
-                ClientResponse::NssGroup(opt) => opt
-                    .map(|ng| {
-                        let mut group = group_from_nssgroup(ng);
-                        group.name = cfg.map_upn_to_name(&group.name);
-                        group.members = group
-                            .members
-                            .into_iter()
-                            .map(|member| cfg.map_upn_to_name(&member))
-                            .collect();
-                        Response::Success(group)
-                    })
-                    .unwrap_or_else(|| Response::NotFound),
-                _ => Response::NotFound,
-            })
-            .unwrap_or_else(|_| Response::NotFound)
-        {
+        // Attempt to respond to a request for the fake primary group name.
+        match if upn.contains("@") {
+            let req = ClientRequest::NssGroupByName(upn);
+            daemon_client
+                .call_and_wait(&req, cfg.get_unix_sock_timeout())
+                .map(|r| match r {
+                    ClientResponse::NssGroup(opt) => opt
+                        .map(|ng| {
+                            let mut group = group_from_nssgroup(ng);
+                            group.name = cfg.map_upn_to_name(&group.name);
+                            group.members = group
+                                .members
+                                .into_iter()
+                                .map(|member| cfg.map_upn_to_name(&member))
+                                .collect();
+                            Response::Success(group)
+                        })
+                        .unwrap_or_else(|| Response::NotFound),
+                    _ => Response::NotFound,
+                })
+                .unwrap_or_else(|_| Response::NotFound)
+        } else {
+            Response::NotFound
+        } {
             Response::NotFound => {
                 // If the mapped UPN name isn't found, then this is probably a
                 // real Entra Id group, instead of a fake primary group.
-                let req = ClientRequest::NssGroupByName(name.clone());
-                daemon_client
-                    .call_and_wait(&req, cfg.get_unix_sock_timeout())
-                    .map(|r| match r {
-                        ClientResponse::NssGroup(opt) => opt
-                            .map(|ng| {
-                                let mut group = group_from_nssgroup(ng);
-                                group.members = group
-                                    .members
-                                    .into_iter()
-                                    .map(|member| cfg.map_upn_to_name(&member))
-                                    .collect();
-                                Response::Success(group)
-                            })
-                            .unwrap_or_else(|| Response::NotFound),
-                        _ => Response::NotFound,
-                    })
-                    .unwrap_or_else(|_| Response::NotFound)
-            }
-            other => other,
-        };
-        match resp {
-            Response::Success(group) => {
-                // Never ever EVER respond to a group request by Entra Id group
-                // name. This is a SECURITY RISK! See CVE-2025-49012. Group
-                // names ARE NOT unique in Entra Id. Responding to this name
-                // request could expose SUDO and other privileged commands to
-                // an attacker. Admins should only ever specify group names in
-                // configuration via the Object Id GUID or the GID. Ignoring
-                // this request will still permit commands such as `ls`, etc
-                // to display the group name, while prohibiting dangerous
-                // behavior.
-                if group.name.to_lowercase() == name.to_lowercase() {
-                    Response::NotFound
+                //
+                // If this appears to be a GUID, we can respond to that 
request (but
+                // we have to validate that GUID wasn't the Group name!).
+                if Uuid::parse_str(&name).is_ok() {
+                    let req = ClientRequest::NssGroupByName(name.clone());
+                    daemon_client
+                        .call_and_wait(&req, cfg.get_unix_sock_timeout())
+                        .map(|r| match r {
+                            ClientResponse::NssGroup(opt) => opt
+                                .map(|ng| {
+                                    let group = group_from_nssgroup(ng);
+                                    // We can only respond if the request was 
not by name
+                                    if name.to_lowercase() != 
group.name.to_lowercase() {
+                                        Response::Success(group)
+                                    } else {
+                                        Response::NotFound
+                                    }
+                                })
+                                .unwrap_or_else(|| Response::NotFound),
+                            _ => Response::NotFound,
+                        })
+                        .unwrap_or_else(|_| Response::NotFound)
                 } else {
-                    Response::Success(group)
+                    // Never ever EVER respond to a group request by Entra Id 
group
+                    // name. This is a SECURITY RISK! See CVE-2025-49012. Group
+                    // names ARE NOT unique in Entra Id. Responding to this 
name
+                    // request could expose SUDO and other privileged commands 
to
+                    // an attacker. Admins should only ever specify group 
names in
+                    // configuration via the Object Id GUID or the GID. 
Ignoring
+                    // this request will still permit commands such as `ls`, 
etc
+                    // to display the group name, while prohibiting dangerous
+                    // behavior.
+                    Response::NotFound
                 }
             }
-            _ => resp,
+            other => other,
         }
     }
 }
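Review bot: in the new GUID branch, `let group = group_from_nssgroup(ng);` is returned without the `cfg.map_upn_to_name(&member)` mapping over `group.members` that the removed code applied to real Entra Id groups, so members of a group looked up by Object Id now come back unmapped while the fake-primary-group branch still maps them. If that is intentional, please say so in a comment; otherwise restore the member mapping before `Response::Success(group)`. Separately, `match if upn.contains("@") { ... } else { Response::NotFound } { ... }` is hard to follow in a security-sensitive path: binding the first lookup to a `let` and then matching on it would make the three outcomes (fake primary group, lookup by GUID, refused name lookup) easier to audit. Note also that `Uuid::parse_str` accepts more than the hyphenated form, so the `name.to_lowercase() != group.name.to_lowercase()` comparison is the only thing separating a GUID request from a request by a GUID-shaped group name; tests covering a group whose display name is itself a GUID, a plain name, and a mapped UPN would lock in the CVE-2025-49012 behaviour described in the comment.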
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-1.3.0+git.0.f8cabb7/src/policies/Cargo.toml 
new/himmelblau-1.4.2+git.0.52da279/src/policies/Cargo.toml
--- old/himmelblau-1.3.0+git.0.f8cabb7/src/policies/Cargo.toml  2025-09-24 
21:12:25.000000000 +0200
+++ new/himmelblau-1.4.2+git.0.52da279/src/policies/Cargo.toml  2025-10-27 
20:28:53.000000000 +0100
@@ -20,7 +20,7 @@
 serde_json = { workspace = true }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
-regex = "^1.11.2"
+regex = "^1.11.3"
 base64.workspace = true
 tokio.workspace = true
 himmelblau_unix_common = { workspace = true }

++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/himmelblau/vendor.tar.zst 
/work/SRC/openSUSE:Factory/.himmelblau.new.2061/vendor.tar.zst differ: char 7, 
line 1
